Gloo Edge and Istio mTLS with older versions of Istio

This reference guide contains instructions for older versions of Istio (1.0 to 1.5). If you are running Istio 1.6, you can use the latest documentation here.

Serving as the Ingress for an Istio cluster – without compromising on security – means supporting mutual TLS (mTLS) communication between Gloo Edge and the rest of the cluster. Mutual TLS means that the client proves its identity to the server (in addition to the server proving its identity to the client, which happens in regular TLS).

Guide versions

Istio versions

This guide was tested with Istio 1.0.9, 1.1.17, 1.3.6, 1.4.3, and 1.5.1.

Gloo Edge versions

This guide was tested with Gloo Edge v1.3.1 except where noted.

Kubernetes versions

This guide was tested with GKE v1.15.

Please note that if you are running Kubernetes > 1.12 in Minikube, you may run into several issues later on when installing Istio in SDS mode, because that mode requires projecting the istio-token service account token into a volume. We recommend installing Istio in a cluster where this feature is turned on by default (for example, GKE).

Step 1 - Install Istio

Download and install

To download and install the latest version of Istio, follow the installation instructions here. You will need to set the profile to sds for this guide.

Previous releases can be found for download here.

For a quick install of Istio 1.0.6 or 1.0.9 (releases that predate the SDS mode option) with mTLS enabled, run the following commands:

kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
kubectl get pods -w -n istio-system

Use kubectl get pods -n istio-system to check the status of the Istio pods and wait until all the pods are Running or Completed.
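As an added example that is not part of the original guide, the following POSIX shell script automates the "wait until every pod is Running or Completed" step instead of watching kubectl get pods -w by hand. The wait-istio.sh file name and the run argument are this example's own conventions. One detail worth knowing: the Completed value kubectl prints in its STATUS column corresponds to the pod phase Succeeded in the API object, so that is what the script compares against.

```shell
#!/bin/sh
# Added example (not from the Gloo Edge docs): poll a namespace until every
# pod has settled. kubectl's STATUS column shows "Completed" for pods whose
# API phase is "Succeeded", so the phase check accepts Running or Succeeded.

NAMESPACE="${NAMESPACE:-istio-system}"   # namespace to watch (guide default)
TIMEOUT_SECS="${TIMEOUT_SECS:-600}"      # give up after this many seconds

# pods_settled PHASES: PHASES is a whitespace-separated list of pod phases.
# Succeeds only when the list is non-empty and every phase is Running or
# Succeeded (Pending, Failed, Unknown or an empty list all fail).
pods_settled() {
  phases="$1"
  [ -n "$phases" ] || return 1
  for phase in $phases; do
    case "$phase" in
      Running|Succeeded) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# current_phases NAMESPACE: read the phase of every pod from the API
# (requires kubectl and a reachable cluster).
current_phases() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.status.phase}{" "}{end}'
}

# wait_for_pods NAMESPACE TIMEOUT_SECS: poll every 5 seconds until
# pods_settled succeeds, printing the pod table on timeout for diagnosis.
wait_for_pods() {
  ns="$1"
  deadline=$(( $(date +%s) + $2 ))
  while :; do
    phases=$(current_phases "$ns")
    if pods_settled "$phases"; then
      echo "all pods in $ns are Running or Completed"
      return 0
    fi
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for pods in $ns; current phases: $phases" >&2
      kubectl get pods -n "$ns"
      return 1
    fi
    sleep 5
  done
}

# Only touch the cluster when invoked as: sh wait-istio.sh run
if [ "${1:-}" = "run" ]; then
  wait_for_pods "$NAMESPACE" "$TIMEOUT_SECS"
fi
```

Run it as sh wait-istio.sh run once the Istio manifests have been applied; it exits non-zero after the timeout so it can gate a CI step that installs bookinfo or Gloo Edge afterwards.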

SDS mode

In Istio 1.1, a new option to configure certificates and keys was introduced based on Envoy Proxy’s Secret Discovery Service (SDS). This mode lets Istio deliver the secrets via an API instead of mounting them into the file system as with Istio 1.0. This has two big benefits:

For more information on Istio’s identity provisioning through SDS take a look at the Istio documentation.

Step 2 - Install bookinfo

Before configuring Gloo Edge, you’ll need to install the bookinfo sample app to be consistent with this guide, or you can use your preferred Upstream. Either way, you’ll need to enable istio-injection in the default namespace:

kubectl label namespace default istio-injection=enabled

To install the bookinfo sample app, cd into your downloaded Istio directory and run this command:

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

Step 3 - Configure Gloo Edge

If necessary, install Gloo Edge with either glooctl:

glooctl install gateway

or with helm:

kubectl create ns gloo-system; helm install --namespace gloo-system --version 1.3.20 gloo gloo/gloo

See the quick start guide for more information.

Gloo Edge is installed to the gloo-system namespace and should not be injected with the Istio sidecar. If you have automatic injection enabled for Istio, make sure the istio-injection label does not exist on the gloo-system namespace. See the Istio docs on automatic sidecar injection for more.

For Gloo Edge to successfully send requests to an Istio Upstream with mTLS enabled, we need to add the Istio mTLS secret to the gateway-proxy pod. The secret allows Gloo Edge to authenticate with the Upstream service.

The last configuration step is to configure the relevant Gloo Edge Upstreams with mTLS. We can be fine-grained about which Upstreams have these settings, as not all Gloo Edge Upstreams may need or want mTLS enabled. This gives us the flexibility to route to Upstreams both with and without mTLS enabled, a common occurrence in a brownfield environment or during a migration to Istio.

Version-specific configurations for the gateway-proxy and the sample Upstream can be found below:

Edit the gateway-proxy with this command:

kubectl edit deploy/gateway-proxy -n gloo-system

Edit the Upstream with this command:

kubectl edit upstream default-productpage-9080 --namespace gloo-system

For Gloo Edge versions 1.1.x and up, you must disable function discovery before editing the Upstream to prevent your change from being overwritten by Gloo Edge:

kubectl label namespace default

To test this out, we need a route in Gloo Edge:

glooctl add route --name prodpage --namespace gloo-system --path-prefix / --dest-name default-productpage-9080 --dest-namespace gloo-system

And we can curl it:

curl -v $(glooctl proxy url)/productpage

Or access it in the browser:

HTTP_GW=$(glooctl proxy url)
## Open the ingress url in the browser:
$([ "$(uname -s)" = "Linux" ] && echo xdg-open || echo open) $HTTP_GW/productpage
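Before relying on the setup above, it is worth checking the two properties it depends on: the gateway-proxy must not be sidecar-injected (it talks mTLS using the mounted Istio secret, not a sidecar), and the Upstream must actually be reachable only over mTLS. The following script is an added example and not part of the Gloo Edge docs. It assumes the secret name istio.default (Citadel's secret for the default service account; override MTLS_SECRET if yours differs), the public curlimages/curl image for a plaintext probe, and the file name check-mtls.sh with a run argument, all of which are this example's own choices. The pure helpers take their input as arguments so they can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not part of the Gloo Edge docs: sanity checks for the
# Gloo Edge + Istio mTLS wiring in Step 3. Pure helpers take their input as
# arguments; the kubectl/curl wrappers only run as "sh check-mtls.sh run".

GLOO_NS="${GLOO_NS:-gloo-system}"
APP_NS="${APP_NS:-default}"
# Assumption: the Istio-issued workload secret that gateway-proxy mounts is
# Citadel's "istio.default" in the app namespace; override if yours differs.
MTLS_SECRET="${MTLS_SECRET:-istio.default}"
# Assumption: a public curl image can be pulled for the plaintext probe.
PROBE_IMAGE="${PROBE_IMAGE:-curlimages/curl}"

# injection_label_ok ACTUAL EXPECTED
#   ACTUAL   value of the namespace's istio-injection label ("" when absent)
#   EXPECTED "enabled" for the app namespace, "absent" for gloo-system
injection_label_ok() {
  case "$2" in
    enabled) [ "$1" = "enabled" ] ;;
    absent)  [ -z "$1" ] ;;
    *) echo "unknown expectation: $2" >&2; return 2 ;;
  esac
}

# has_sidecar CONTAINER_NAMES: space-separated container names of a pod
# template; succeeds if an istio-proxy sidecar was injected.
has_sidecar() {
  for c in $1; do
    [ "$c" = "istio-proxy" ] && return 0
  done
  return 1
}

# mtls_enforced GATEWAY_STATUS PLAINTEXT_STATUS
# The gateway (which holds the mesh certificate) must get 200, while a
# plaintext client with no sidecar must get a 3-digit code other than 200
# (curl reports 000 when the TLS handshake fails or the connection is reset).
mtls_enforced() {
  case "$2" in
    200) return 1 ;;
    [0-9][0-9][0-9]) [ "$1" = "200" ] ;;
    *) return 1 ;;
  esac
}

# --- cluster-facing helpers (need kubectl, glooctl, curl and a cluster) ---
ns_label() { kubectl get ns "$1" -o jsonpath='{.metadata.labels.istio-injection}'; }
gateway_containers() {
  kubectl get deploy gateway-proxy -n "$GLOO_NS" \
    -o jsonpath='{.spec.template.spec.containers[*].name}'
}
gateway_status() {
  curl -s -o /dev/null -w '%{http_code}' "$(glooctl proxy url)/productpage"
}
# curl from a throwaway pod in gloo-system (not injected, so it has no mesh
# credentials) straight at the productpage service, bypassing the gateway.
plaintext_status() {
  kubectl run mtls-probe -n "$GLOO_NS" --rm -i --restart=Never \
    --image="$PROBE_IMAGE" -- -s -o /dev/null -w '%{http_code}' \
    "http://productpage.$APP_NS.svc.cluster.local:9080/productpage" 2>/dev/null \
    | grep -o '[0-9][0-9][0-9]' | tail -n 1
}

run_checks() {
  rc=0
  injection_label_ok "$(ns_label "$APP_NS")" enabled \
    || { echo "FAIL: $APP_NS lacks istio-injection=enabled"; rc=1; }
  injection_label_ok "$(ns_label "$GLOO_NS")" absent \
    || { echo "FAIL: $GLOO_NS has an istio-injection label; gateway-proxy must not be injected"; rc=1; }
  if has_sidecar "$(gateway_containers)"; then
    echo "FAIL: gateway-proxy already carries an istio-proxy sidecar"; rc=1
  fi
  kubectl get secret "$MTLS_SECRET" -n "$APP_NS" >/dev/null 2>&1 \
    || { echo "FAIL: secret $MTLS_SECRET not found in $APP_NS"; rc=1; }
  gw=$(gateway_status); pt=$(plaintext_status)
  if mtls_enforced "$gw" "$pt"; then
    echo "OK: gateway -> productpage = $gw, plaintext client = $pt (rejected)"
  else
    echo "FAIL: gateway = $gw, plaintext client = $pt (expected 200 and a non-200 code)"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "run" ]; then run_checks; fi
```

The plaintext probe is the part that proves something: if it also receives 200, the Upstream is accepting unauthenticated traffic and the mTLS configuration on either the Istio side or the Gloo Edge Upstream is not in effect, regardless of what the gateway reports.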

Istio 1.0.x

Istio 1.1.x

Istio 1.3.x and 1.4.x

Istio 1.5.x

Istio 1.6.x